WordPress is one of the most widely used publishing platforms in the world today. Questions about security are therefore a natural topic to address.
So what about the small companies that don’t have millions to spend on security? And how secure is the WordPress platform? A website can never be 100% secure. It’s not possible because you have to balance functionality and security. A completely secure site cannot be accessible to visitors, which defeats the purpose of a website. Many of the issues discussed apply no matter which platform you choose, so this is valuable information even if you don’t use WordPress. Sveum Design offers a security package for WordPress. Read more here.
Status for WordPress 2024
As of today, WordPress is both the most vulnerable and the most secure publishing platform you can use. We will now take a look at the reasons behind how this is possible.
First: You have made the best choice by choosing WordPress as your CMS solution, because the world’s largest team of programmers is working around the clock to keep WordPress safe.
How can you say that WordPress is the most vulnerable solution?
- 810 million websites use WordPress as a publishing solution. That is, approx. 43% of all websites in the world use WordPress as a publishing solution (over 64% of all CMS installations).
The fact that so many use WordPress makes it an attractive target for hackers, but it gets worse:
- WordPress is open source
This means that the source code is publicly available, so hackers can see what the code looks like and how the standard settings are set up.
- WordPress is relatively easy to install
As a result, not everyone thinks about what the settings should be, takes precautions or is aware of the security of their own website. If you don’t set up WordPress in the right way, you’ve already opened the door to hackers. That’s why WordPress is an attractive target for hackers.
Software updates
In general, people wait too long to update the software on their website because they are afraid that something will go wrong. That’s why outdated WordPress installations are the most common way for hackers to gain access to your website. Not updating is even worse when you consider that 80% of all updates sent out are related to security. Normally, 20% of updates are related to functionality, so there is little chance that any of the functionality will be affected. These figures are based on plugins and themes that have been updated in the last 5 years.
- If you don’t update regularly, it’s estimated that 20-30% of the top 50 plugins/add-ons have some kind of vulnerability.
Be aware of free plugins:
- 8 out of 10 free themes and plugins that you find that are not published by the WordPress team have a so-called base64 encoding.
This is code that you cannot remove. In many cases, this can be harmless, and maybe just a code snippet at the bottom of the page that tells you who wrote the code. So who should you trust? A general rule of thumb is to use providers that have built up trust over a long period of time and are reliable.
Weak passwords
The fact that WordPress is so popular and is used on many websites also provides great security. This is because a large team of programmers work around the clock to ensure that potential vulnerabilities are corrected, and security updates are sent out on an ongoing basis. In other words, you have a large and solid global network of highly qualified people who put security first. If you update regularly, hackers can no longer use outdated software as a gateway. But this means nothing if you use weak passwords. If you don’t have a secure password that includes upper and lower case letters, numbers and special characters, you’re giving hackers a new way in.
Just as important as having a secure password is using different passwords everywhere. WordPress defaults to not locking users out if they enter the wrong password. This means that if someone gets hold of your password on a site that gets hacked, they might try that password elsewhere until they get logged in. So never use the same password on multiple websites – and set a limit on the number of possible login attempts in WordPress.
You can also set your own admin username and password. Do not use the default username “admin”. Because this has been the default, hackers will try this first. If you look at the log of login attempts on your website for the last seven days, you will most likely find someone who has tried to log in with “admin”.
Malware
This is malicious software locally on the computer or device you are using. When you log in to WordPress, you use your browser. If you have a virus on your own computer or receive an email with a virus, you can also give hackers access if you do not take precautions. This applies to everyone who logs in to the website – so think about who has access to update your site and how they use their personal computer.
Vulnerable servers and web hosting
If you’re hosting your site with a provider that doesn’t update their web hosting, you may have a problem. If you want to be sure of your provider, you should look at price and references. But to be clear – the most expensive solution is not necessarily the most secure. Make sure that your provider updates the software on your web space and continuously ensures that security is top notch.
File permissions
Don’t fall for the temptation to change file permissions via FTP as a quick fix. Permission 777 gives everyone access to view, edit and save the files on the FTP server, even without a password. It goes without saying that this is a security threat – so don’t do it.
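An added example, not part of the original article: a Python audit that walks a WordPress directory and reports two of the problems described above, entries left world-writable by a 777-style change and `base64_decode` calls in theme or plugin PHP files, decoding literal arguments so you can read what they contain. The sample tree, the theme name `free-theme` and the file contents are constructed for the demonstration.

```python
import base64, os, re, stat, tempfile
# base64_decode( ... ), capturing the argument when it is a quoted literal.
B64_CALL = re.compile(rb"base64_decode\s*\(\s*(?:(['\"])([A-Za-z0-9+/=\s]*)\1)?")

def audit_tree(root):
    """Return (world_writable, encoded) findings for everything below root."""
    world_writable, encoded = [], []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            mode = os.lstat(path).st_mode
            if stat.S_ISLNK(mode):
                continue  # a symlink's own mode bits say nothing useful
            if mode & stat.S_IWOTH:  # "other users may write", set by 777
                world_writable.append((rel, oct(stat.S_IMODE(mode))))
            if stat.S_ISREG(mode) and name.endswith(".php"):
                with open(path, "rb") as fh:
                    data = fh.read()
                for m in B64_CALL.finditer(data):
                    line = data.count(b"\n", 0, m.start()) + 1
                    if m.group(2) is None:
                        shown = "<argument is not a plain base64 literal>"
                    else:
                        try:
                            raw = base64.b64decode(m.group(2))
                            shown = raw[:80].decode("utf-8", "replace")
                        except ValueError:
                            shown = "<literal is not valid base64>"
                    encoded.append((rel, line, shown))
    return sorted(world_writable), sorted(encoded)

def build_sample(root):
    """Constructed sample tree: theme name and file contents are made up."""
    theme = os.path.join(root, "wp-content", "themes", "free-theme")
    uploads = os.path.join(root, "wp-content", "uploads")
    old_umask = os.umask(0o022)  # keep the sample's default modes predictable
    os.makedirs(theme)
    os.makedirs(uploads)
    credit = base64.b64encode(b"Theme by Example Author").decode()
    with open(os.path.join(theme, "footer.php"), "w") as fh:
        fh.write("<?php\n// footer credit\necho base64_decode('%s');\n" % credit)
    os.umask(old_umask)
    os.chmod(uploads, 0o777)  # the "quick fix" the article warns against
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(audit_tree(build_sample(tmp)))
```

A decoded credit line like the one in the sample is the harmless case the article mentions; a call whose argument is not a plain literal needs the surrounding PHP read by hand.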
Conclusion: If you don’t set up your WordPress site right, it will be like building your house on sand. You might have a beautiful house, but anyone can dig away the sand in an instant.
Is there hope?
Bottom line. Stay calm and be aware and alert. Lay a good foundation and make sure to update regularly, activate the right settings and have a secure password. By using WordPress, you become part of the largest group of developers who are constantly working to develop functionality and ensure the highest possible security for your website. Read more about how to secure WordPress here.
And as always: If an offer looks too good to be true – it probably is. No one can promise you a completely secure website.
Balance functionality
Part of web security is balancing functionality with security. For example, if you don’t need comment functionality – remove it. By removing features you don’t need, you increase the security of your site. If you want users to be able to upload files to your website via a contact form – this will also affect security. So think carefully about what you need. In what area are you willing to lower security in favor of functionality? 100% security is not possible – unless the website is hosted on your own computer where no one can see it.
You’ve already taken a big step by reading this article. Now all that’s left is for you to use the information you have available. Feel free to contact us to find out more. We haven’t mentioned backups in this article – but they can be very valuable to have if the worst comes to the worst.
Do you want help protecting your website?